  1. #1
    Guest
    Join Date
    Aug 2009
    Posts
    9,266

    Mozilla takes hard stance on protecting Web site certificates

    After telecom giant TeliaSonera allegedly allowed authoritarian governments to snoop on their citizens, Mozilla contemplates whether or not to issue it a new root certificate.
    by Dara Kerr
    April 18, 2013 4:24 PM PDT


    It's happened to everyone -- you visit a Web site and instead of the browser taking you directly to it, you get a notice that says you're about to visit an untrusted site. The reason this happens is that the browser hasn't certified the site.


    This type of action could mean a slow death for such a Web site, since messages like these tend to scare off users.


    Mozilla, Firefox's parent company, is now contemplating whether to give international telecom giant TeliaSonera this type of punishment, according to the Register. Apparently Mozilla might refuse to include a new root certificate in Firefox's list of trusted Certificate Authorities for TeliaSonera and the Web sites of the dozens of companies the telecom giant either owns or partially owns.
    What did TeliaSonera do to deserve this?


    Allegedly, the telecom company allowed Eastern European and Central Asian governments -- specifically Azerbaijan, Kazakhstan, Georgia, Uzbekistan, and Tajikistan -- to eavesdrop on citizens' private Internet use. The way TeliaSonera supposedly let this happen was by issuing certificates to the governments that let them pose as legitimate Web sites and decrypt Web traffic, according to the Register.


    "TeliaSonera's roots are a topic of active and public discussion in the Mozilla community," a Mozilla spokesperson told CNET. "We have not reached a decision at this time. The decision to trust a certificate authority in Mozilla products is one we make very carefully. Each authority is publicly vetted before inclusion, and is required to provide regular, public audits of policy compliance once included."


    A spokesperson for TeliaSonera told the Register that it has a "clean record" and like "all operators" of Web sites, it respects government requests for "lawful interception" of sites.

    According to Information Week Security, a TeliaSonera senior public relations manager, Irene Krohn, said last month that the company only allows for interception surveillance services when the law in each country calls for it.

    "The governments and security services of all countries in the world have the legal right to request information from operators and monitor network traffic for the purpose of fighting crime," Krohn said. "This is happening every day in all countries and applies to all operators. We are obliged to comply with the legislation of each country."


    While it's unclear what Mozilla will do, it does show that the company is looking at how Web site operators are working with authoritarian governments.
    CNET contacted TeliaSonera for comment. We'll update the story when we get more information.


    Updated at 6:05 p.m. PT with comment from Mozilla spokesperson.

    http://news.cnet.com/8301-1009_3-575...e757&ttag=e757

  2. #2
    Guest
    Join Date
    Aug 2009
    Posts
    9,266
    Oracle preps 128 security patches; Java gets 42

    Fixes are coming today for "hundreds" of Oracle products, following a series of high-profile corporate hacks pegged to a zero-day vulnerability in Java.
    by Zack Whittaker
    April 16, 2013 9:34 AM PDT


    Oracle will release today 128 fixes for security vulnerabilities that affect "hundreds" of its products.
    The software giant and Java maker said in a pre-release announcement today that four of the patches include fixes for Oracle's flagship database product, which can be exploited remotely without the need for a username or password.


    Also, 29 security fixes will arrive for Oracle Fusion Middleware, with 22 of these also for preventing attacks without the need for authentication.
    Affected components include Oracle HTTP Server, JRockit, WebCenter, and WebLogic.


    Both Oracle products have a common vulnerability scoring system (CVSS) rating of 10, described as the most severe vulnerability.


    Oracle E-Business Suite contains six security fixes, Oracle Supply Chain Products Suite has three security fixes, and Oracle PeopleSoft Products contains 11 security fixes.
    Dozens more fixes for various Sun-branded products and Oracle financial software will arrive later today when Oracle releases the patches over the usual update channels.
    The "critical" patch update contains more security fixes than the release in January, which contained 86 fixes. The high impact nature of these updates mean that the affected Oracle products must be patched "as soon as possible," as a result of the "threat posed by a successful attack."


    Patches for Java
    The Web plug-in Java, developed by Oracle, will also receive a number of updates, including 42 security patches.
    Out of the total number, only three vulnerabilities relate to issues that are not remotely exploitable, meaning the software can be attacked over a network without the need for a username or password.

    Affected Java software includes Java 5 (Update 41) and earlier, Java 6 (Update 43) and earlier, and Java 7 (Update 17) and earlier. JavaFX 2.2.7 and earlier versions are also affected.


    Under Oracle's own CVSS rating system, some flaws rate as important though not critical, while some reach the highest rating of 10.


    It comes only a few months after Java software was pinpointed by a number of major technology companies as being the root cause of a series of successful corporate hacking attacks.


    Facebook, Apple, Twitter, and NBC, as well as a number of others, all suffered as a result of a zero-day vulnerability in Java that led to hackers infiltrating internal networks in February.


    Facebook confirmed that its internal network breach was a result of a zero-day exploit in the Java plug-in, as did Apple in a statement in mid-February. Law-enforcement agencies were informed in both cases.


    Others came forward after initial reports suggested that Chinese hackers were behind the attacks, following reports of intrusions by The New York Times and other newspapers.
    A "watering hole" technique was used by hackers attacking a popular iPhone and iPad development site that infected Java-running Apple MacBook machines. The site, riddled with malware that was injected into the Web site's code, used an exploit in the Java Web plug-in to gain access to employee laptops.


    This story originally posted as "Oracle to release 128 security patches, hundreds of products affected" on ZDNet.

    Originally posted at Business Tech

    http://news.cnet.com/8301-1009_3-575...e757&ttag=e757
